Notes:
FIPS_mode() is not implemented in LibreSSL and this API is removed in OpenSSL 3.0 and was introduced in 0.9.7. Added guards around making this call.
Credit:
Will Cosgrove
File:
packet.c
Notes:
Attempt keyboard interactive login (Azure AD 2FA login) and use more than 60 seconds to complete the login, the connection fails.
The _libssh2_packet_require function does almost the same as _libssh2_packet_requirev but this function sets state->start = 0 before returning.
Credit:
teottin, Co-authored-by: Tor Erik Ottinsen <tor.ottinsen@kdi.kongsberg.com>
Files: hostkey.c, userauth.c, test_public_key_auth_succeeds_with_correct_ecdsa_key.c
Notes:
Support ECDSA certificate authentication
Add a test for:
- Existing ecdsa basic public key authentication
- ecdsa public key authentication with a signed public key
Credit:
kkoenig
Files: agent.c, agent.h, agent_win.c
Notes:
* agent: Add support for Windows OpenSSH agent
The implementation was partially taken and modified from that found in
the Portable OpenSSH port to Win32 by the PowerShell team, but mostly
based on the existing Unix OpenSSH agent support.
https://github.com/PowerShell/openssh-portable
Regarding the partial transfer support implementation: partial transfers
are easy to deal with, but you need to track additional state when
non-blocking IO enters the picture. A tracker of how many bytes have
been transfered has been placed in the transfer context struct as that's
where it makes most sense. This tracker isn't placed behind a WIN32
#ifdef as it will probably be useful for other agent implementations.
* agent: win32 openssh: Disable overlapped IO
Non-blocking IO is not currently supported by the surrounding agent
code, despite a lot of the code having everything set up to handle it.
Credit:
Co-authored-by: Gabriel Smith <gabriel.smith@precisionot.com>
Notes:
* Make _libssh2_random return code consistent
Previously, _libssh2_random was advertized in HACKING.CRYPTO as
returning `void` (and was implemented that way in os400qc3.c), but that
was in other crypto backends a lie; _libssh2_random is (a macro
expanding) to an int-value expression or function.
Moreover, that returned code was:
— 0 or success, -1 on error for the MbedTLS & WinCNG crypto backends
But also:
— 1 on success, -1 or 0 on error for the OpenSSL backend!
– 1 on success, error cannot happen for libgcrypt!
This commit makes explicit that _libssh2_random can fail (because most of
the underlying crypto functions can indeed fail!), and it makes its result
code consistent: 0 on success, -1 on error.
This is related to issue #519https://github.com/libssh2/libssh2/issues/519
It fixes the first half of it.
* Don't silent errors of _libssh2_random
Make sure to check the returned code of _libssh2_random(), and
propagates any failure.
A new LIBSSH_ERROR_RANDGEN constant is added to libssh2.h
None of the existing error constants seemed fit.
This commit is related to d74285b68450c0e9ea6d5f8070450837fb1e74a7
and to https://github.com/libssh2/libssh2/issues/519 (see the issue
for more info.) It closes#519.
Credit:
Paul Capron
file: userauth.c
notes: libssh2 now supports many other key types besides RSA, if the library is built without RSA support and a user attempts RSA auth it shouldn't be an automatic error
credit:
Will Cosgrove
File: bcrypt_pbkdf.c
Notes:
blf_enc() takes a number of 64-bit blocks to encrypt, but using
sizeof(uint64_t) in the calculation triggers a warning with
clang 10 because the actual data type is uint32_t. Pass
BCRYPT_BLOCKS / 2 for the number of blocks like libc bcrypt(3)
does.
Ref: 04a2240bd8Fixes#562
Credit:
Viktor Szakats
* kex.c: kex_agree_instr() improve string reading
file: kex.c
notes: if haystack isn't null terminated we should use memchr() not strchar(). We should also make sure we don't walk off the end of the buffer.
credit:
Will Cosgrove, reviewed by Michael Buckley
File: kex.c
Notes:
Moved the macro LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY outside of the LIBSSH2_ECDSA since it's also now used by the ED25519 code.
Sha 256, 384 and 512 need to be defined for all backends now even if they aren't used directly. I believe this is already the case, but just a heads up.
Credit:
Stefan-Ghinea
The old function would set the least significant bits in
the most significant byte instead of the most significant bits.
The old function would also zero pad too much bits in the
most significant byte. This lead to a reduction of key space
in the most significant byte according to the following listing:
- 8 bits reduced to 0 bits => eg. 2048 bits to 2040 bits DH key
- 7 bits reduced to 1 bits => eg. 2047 bits to 2041 bits DH key
- 6 bits reduced to 2 bits => eg. 2046 bits to 2042 bits DH key
- 5 bits reduced to 3 bits => eg. 2045 bits to 2043 bits DH key
No change would occur for the case of 4 significant bits.
For 1 to 3 significant bits in the most significant byte
the DH key would actually be expanded instead of reduced:
- 3 bits expanded to 5 bits => eg. 2043 bits to 2045 bits DH key
- 2 bits expanded to 6 bits => eg. 2042 bits to 2046 bits DH key
- 1 bits expanded to 7 bits => eg. 2041 bits to 2047 bits DH key
There is no case of 0 significant bits in the most significant byte
since this would be a case of 8 significant bits in the next byte.
At the moment only the following case applies due to a fixed
DH key size value currently being used in libssh2:
The DH group_order is fixed to 256 (bytes) which leads to a
2047 bits DH key size by calculating (256 * 8) - 1.
This means the DH keyspace was previously reduced from 2047 bits
to 2041 bits (while the top and bottom bits are always set), so the
keyspace is actually always reduced from 2045 bits to 2039 bits.
All of this is only relevant for Windows versions supporting the
WinCNG backend (Vista or newer) before Windows 10 version 1903.
Closes#521
Files: kex.c
Notes:
Added key exchange group16-sha512 and group18-sha512. As a result did the following:
Abstracted diffie_hellman_sha256() to diffie_hellman_sha_algo() which is now algorithm agnostic and takes the algorithm as a parameter since we needed sha512 support. Unfortunately it required some helper functions but they are simple.
Deleted diffie_hellman_sha1()
Deleted diffie_hellman_sha1 specific macro
Cleaned up some formatting
Defined sha384 in os400 and wincng backends
Defined LIBSSH2_DH_MAX_MODULUS_BITS to abort the connection if we receive too large of p from the server doing sha1 key exchange.
Reorder the default key exchange list to match OpenSSH and improve security
Credit:
Will Cosgrove
Files:
mbedtls.c, mbedtls.h, .travis.yml
Notes:
This PR adds support for ECDSA for both key exchange and host key algorithms.
The following elliptic curves are supported:
256-bit curve defined by FIPS 186-4 and SEC1
384-bit curve defined by FIPS 186-4 and SEC1
521-bit curve defined by FIPS 186-4 and SEC1
Credit:
Sebastián Katzer
File: openssl.c, openssl.h, crypto.h, kex.c
Notes:
This cleans up a few things in the curve25519 implementation:
- There is no need to create X509_PUBKEYs or PKCS8_PRIV_KEY_INFOs to
extract key material. EVP_PKEY_get_raw_private_key and
EVP_PKEY_get_raw_public_key work fine.
- libssh2_x25519_ctx was never used (and occasionally mis-typedefed to
libssh2_ed25519_ctx). Remove it. The _libssh2_curve25519_new and
_libssh2_curve25519_gen_k interfaces use the bytes. Note, if it needs
to be added back, there is no need to roundtrip through
EVP_PKEY_new_raw_private_key. EVP_PKEY_keygen already generated an
EVP_PKEY.
- Add some missing error checks.
Credit:
David Benjamin
File: transport.c
Notes:
This is to fix#102, instead of continuing to attempt to read a disconnected socket, it will now error out.
Credit:
TDi-jonesds
Avoid the use of RtlGetVersion or similar Win32 functions,
since these depend on version information from manifests.
This commit makes the WinCNG backend first try to use the
new DH algorithm API with the raw secret derivation feature.
In case this feature is not available the WinCNG backend
will fallback to the classic approach of using RSA-encrypt
to perform the required modular exponentiation of BigNums.
The feature availability test is done during the first handshake
and the result is stored in the crypto backends global state.
Follow up to #397Closes#484
file: transport.c
notes:
moving total_num zero length check from #476 up to the prior bounds check which already includes a total_num check. Makes it slightly more readable.
credit:
Will Cosgrove
File: hostkey.c
Notes:
These types are the same size so most compilers are fine with it, but CodeWarrior (on classic MacOS) throws an ‘illegal implicit conversion’ error
Credit: Brendan Shanks
File:
Openssl.c
Notes:
* Fix for use of uninitialized aes_ctr_cipher.key_len when using HAVE_OPAQUE_STRUCTS, regression from #439
Credit:
Hans Meirer, Tseng Jun
